OSX SSH login

Solution

Setting Up Key-Based SSH Login
http://developer.apple.com/library/mac/#documentation/MacOSXServer/Conceptual/XServer_ProgrammingGuide/Articles/SSH.html

SSH, or secure shell, is a protocol that allows users to securely log in, administer, or transfer files between remote computers. This article outlines the process of setting up key-based SSH login on Mac OS X and Mac OS X Server.

For more information about SSH see the OpenSSH homepage. Key-based authentication is helpful for tasks such as automating file transfers and backups, and using with fail-over scripts because it allows computers to communicate without a user having to type in a password.

Important: With the power of key-based authentication comes risk. If the private key you generate becomes compromised, unauthorized users will have access to your computers. You need to determine whether the advantages of key-based authentication are worth the risk.
Generating a Key Pair

To set up key-based SSH, you must generate the keys the two computers will use to establish and validate each other's identity. To do this, run the following commands in Terminal:

1. Check to see whether a .ssh folder exists in your home directory by running the command ls -ld ~/.ssh. If .ssh is listed in the output, move to step 2. If .ssh is not listed in the output, run mkdir ~/.ssh and continue to step 2.
2. Run: cd ~/.ssh
3. Run: ssh-keygen -b 1024 -t dsa -f id_dsa -P ''
   This command generates the public and private keys. The -b flag sets the length of the keys to 1,024 bits, -t dsa selects the DSA key type, -f sets the file name to id_dsa, and -P '' sets the private key passphrase to empty. The empty private key passphrase allows for automated SSH connections.
4. Run: touch authorized_keys2
5. Run: cat id_dsa.pub >> authorized_keys2
6. Run: chmod 400 id_dsa
   The permissions on the private key must be set so that the file is not world readable.
7. Run: scp authorized_keys2 username@remotemachine:~/.ssh/
   This command copies the public key, as part of the authorized key list, to the specified user's .ssh directory on the remote computer. If you need to establish two-way communication between servers, repeat the above process on the second computer. It is not secure to copy the private key of one computer to another computer. This process must be repeated for each user that needs to be able to open a key-based SSH session. The root user is not excluded from this requirement. The home folder for the root user on Mac OS X Server is located at /var/root/.
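The following POSIX shell functions are an added example, not part of Apple's article, covering the local side of the steps above in a form that can be re-run safely: the .ssh directory is forced to mode 700, the public key is appended to the authorized keys file only if it is not already there (the article's `cat id_dsa.pub >> authorized_keys2` adds a duplicate every time it is run, and its scp step replaces whatever keys the remote user already had), and the private key is checked for the same group/other permission bits that ssh itself refuses. All paths are arguments so the demonstration runs in a scratch directory; the key line it writes is a constructed placeholder, not real key material. Two caveats from current OpenSSH apply to the steps themselves: ssh-dss keys such as the 1024-bit DSA key generated in step 3 have been disabled by default since OpenSSH 7.0 (`ssh-keygen -t ed25519` is the current equivalent), and the file name authorized_keys2 is a legacy fallback; the functions take the file name as an argument, so either works.

```shell
#!/bin/sh
# Added example (not from the Apple article): safe local set-up of the
# .ssh directory, idempotent installation of a public key into an
# authorized_keys file, and the permission check OpenSSH itself enforces.
# Only POSIX sh, awk, grep and ls are assumed.

# ensure_ssh_dir DIR: create DIR if missing and force mode 700.
# (sshd ignores authorized_keys under a group- or world-writable ~/.ssh
#  while StrictModes is on, which is the default.)
ensure_ssh_dir() {
    [ -d "$1" ] || mkdir -p "$1"
    chmod 700 "$1"
}

# add_authorized_key PUBKEY_FILE AUTH_FILE: append the key only if its
# key material (second field of the .pub line) is not already listed.
# Returns 0 if added, 1 if already present, 2 if the .pub file is unusable.
add_authorized_key() {
    pub="$1"
    auth="$2"
    material=$(awk '{ print $2 }' "$pub")
    [ -n "$material" ] || return 2
    touch "$auth"
    chmod 600 "$auth"
    if grep -qF -- "$material" "$auth"; then
        return 1
    fi
    cat "$pub" >> "$auth"
}

# check_private_key_perms KEYFILE: succeed only if group and others have no
# access bits at all, the condition ssh checks before it will load a private
# key ("UNPROTECTED PRIVATE KEY FILE!" otherwise). ls is used instead of stat
# because the stat flags differ between macOS and Linux.
check_private_key_perms() {
    [ -f "$1" ] || return 2
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Demonstration in a scratch directory with a constructed placeholder key.
demo_dir=$(mktemp -d)
ensure_ssh_dir "$demo_dir/.ssh"
printf 'ssh-ed25519 AAAAC3PLACEHOLDERNOTAREALKEY0000 automation@example.com\n' \
    > "$demo_dir/.ssh/id_ed25519.pub"
add_authorized_key "$demo_dir/.ssh/id_ed25519.pub" "$demo_dir/.ssh/authorized_keys" \
    && echo "key added"
add_authorized_key "$demo_dir/.ssh/id_ed25519.pub" "$demo_dir/.ssh/authorized_keys" \
    || echo "key already present, nothing appended"
rm -rf "$demo_dir"
```

On the remote side, the same add_authorized_key function run over ssh (piping the .pub file to it) replaces the article's scp step and leaves any keys the user already had in place.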

Key-based SSH Use With Scripting

A cluster of servers is an ideal environment for using key-based SSH. The following Perl script is a trivial example that should not be implemented. It demonstrates connecting over an SSH connection to all of the servers defined in the variable serverList, running softwareupdate, installing any available updates, and restarting the computer if necessary. The script assumes that key-based SSH has been properly set up for the root user on all of the servers to be updated.

#!/usr/bin/perl
use strict;
use warnings;

# Single-quoted strings are not interpolated, so "@" needs no escaping here.
my @serverList = ('root@exampleserver1.example.com',
                  'root@exampleserver2.example.com');

foreach my $server (@serverList) {
    # BatchMode=yes makes ssh fail instead of prompting if key login fails.
    open(my $sbuff, '-|', "ssh $server -x -o BatchMode=yes 'softwareupdate -i -a'")
        or die "Cannot run ssh to $server: $!";
    my $flag = 0;    # declared outside the loop so the value survives it
    while (my $line = <$sbuff>) {
        chomp($line);
        # check for the restart text in the softwareupdate output
        if ($line =~ /Please restart immediately/) {
            $flag = 1;
        }
    }
    close($sbuff);

    if ($flag == 1) {
        system("ssh $server -x -o BatchMode=yes shutdown -r now");
    }
}
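The script above assumes an unrestricted root key on every server, which is exactly the risk the Important note at the top describes. As an added example (not from Apple's article), the shell functions below show the OpenSSH authorized_keys options that limit what such a key can do, and an audit that reports entries which are not limited. restricted_entry builds a line with a forced command and the restrict option, so sshd runs that one command whatever the client requests and refuses a pty, port forwarding and agent forwarding; audit_authorized_keys then lists each key with its type and flags entries that have neither command= nor restrict, plus ssh-dss entries, which OpenSSH rejects by default since 7.0. The command path /usr/sbin/softwareupdate is the standard Mac OS X location of the tool; key material and comments in the demonstration are constructed placeholders. With a forced command in place, the restart decision in the Perl script could no longer be made by a second ssh call; it would have to live inside the forced command on the server, which is the trade-off a restricted key imposes.

```shell
#!/bin/sh
# Added example (not from the Apple article): build a restricted
# authorized_keys entry and audit a file for unrestricted or legacy keys.
# Uses the standard OpenSSH authorized_keys options command= and restrict.

# restricted_entry COMMAND PUBKEY_FILE: print an authorized_keys line that
# forces COMMAND for this key and disables pty, forwarding and agent use.
restricted_entry() {
    cmd="$1"
    pub="$2"
    printf 'command="%s",restrict %s\n' "$cmd" "$(cat "$pub")"
}

# key_type LINE: print the key type (first field starting with ssh-,
# ecdsa-sha2- or sk-), skipping any leading options such as command="...".
# A command string containing a word that itself starts with "ssh-" would
# confuse this simple field scan.
key_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) { print $i; exit }
    }'
}

# audit_authorized_keys FILE: print one report line per key (type, comment,
# status) and a final "findings N" line counting entries that are
# unrestricted (no command= and no restrict in the options) or ssh-dss.
audit_authorized_keys() {
    findings=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        type=$(key_type "$line")
        comment=${line##* }
        opts=${line%%"$type"*}       # text before the key type = the options
        status=""
        case "$opts" in
            *'command="'*|*restrict*) ;;
            *) status="unrestricted" ;;
        esac
        if [ "$type" = "ssh-dss" ]; then
            status="${status:+$status,}legacy-dsa"
        fi
        if [ -n "$status" ]; then
            findings=$((findings + 1))
        else
            status="ok"
        fi
        printf '%-12s %-32s %s\n' "$type" "$comment" "$status"
    done < "$1"
    printf 'findings %d\n' "$findings"
}

# Demonstration with a constructed authorized_keys file in a scratch directory.
demo_dir=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3PLACEHOLDER0001 automation@example.com\n' > "$demo_dir/id_ed25519.pub"
{
    printf '# constructed sample, placeholder keys only\n\n'
    printf 'ssh-dss AAAAB3PLACEHOLDERDSA0000 root@exampleserver1.example.com\n'
    restricted_entry "/usr/sbin/softwareupdate -i -a" "$demo_dir/id_ed25519.pub"
    printf 'ssh-ed25519 AAAAC3PLACEHOLDER0002 backup@example.com\n'
} > "$demo_dir/authorized_keys"
audit_authorized_keys "$demo_dir/authorized_keys"
rm -rf "$demo_dir"
```

Run against a real file, the report makes it easy to see at a glance which automation keys on a server still have full shell access and which ones predate the DSA deprecation.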

Article details
Article ID: 1
Category: OSX
Date added: 15-12-2010 06:04:47